Covered entities are permitted to disclose protected
health information (PHI) to public health authorities
or other agencies that are authorized by law to collect or
receive such data. No authorization
from the patient is needed.
Covered entities are generally obligated to limit disclosures to the
minimum necessary to
accomplish the public health purpose(s). Routine, recurring
disclosures will typically be governed by institutional policies
and procedures that aim for this standard. Covered entities
may accept the representation of a public health authority
that any particular disclosure is the minimum necessary.
Public health authority
is defined under HIPAA as "an agency or authority of
the United States, a State, a territory, a political subdivision
of a State or territory, or an Indian tribe, or a person or
entity acting under a grant of authority from or contract
with such public agency, including the employees or agents
of such public agency or its contractors or persons or entities
to whom it has granted authority, that is responsible for
public health matters as part of its official mandate."
may relate to
- the reporting
of diseases or injuries;
events" such as birth or death;
- the conduct
of public health surveillance, investigations, and interventions.
are typically governed in detail by state laws, and are made
to state public health agencies. These activities are not
preempted by HIPAA.
at the direction of a public health authority these disclosures
may also be made to an official of a foreign government agency
engaged in a collaborative effort.
the Food and Drug Administration (FDA), or to individuals
or corporate persons subject to the jurisdiction of the FDA,
are permitted for purposes related to the quality, safety,
or effectiveness of FDA-regulated products or activities. These
- collecting or
reporting adverse events (or similar activities regarding
food or dietary supplements), product defects or problems
(including problems with the use or labeling of a product),
or biological product deviations;
- tracking FDA-regulated
- enabling product
recalls, repairs, or replacement, or for lookback (including
locating and notifying persons who have received products
that have been withdrawn, recalled, or are the subject of
- conducting post-marketing
Note that the reporting
of adverse events and other problems is not restricted to
the FDA or persons subject to the jurisdiction of the FDA.
A covered entity may disclose PHI to any public health authority
that is authorized to receive or collect a report on an adverse
event. In addition, to the extent an adverse event is required
to be reported by law, the disclosure of PHI for this purpose
is also permitted.
permitted to a person who may have been exposed to a communicable
disease or may otherwise be at risk of contracting or spreading
a disease or condition, if the covered entity or public health
authority is authorized by law to make such notifications.
be made to an employer, about an individual who is a member
of the workforce of the employer, in the following cases:
- the covered
entity is a covered health care provider who is a member
of the workforce of such employer or who provides health
care to the individual at the request of the employer to
conduct an evaluation relating to medical surveillance of
the workplace; or to evaluate whether the individual has
a work-related illness or injury;
- the PHI that
is disclosed consists of findings concerning a work-related
illness or injury or a workplace-related medical surveillance;
- the employer
needs such findings in order to comply with its obligations,
under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through
90, or under state law having a similar purpose, to record
such illness or injury or to carry out responsibilities
for workplace medical surveillance.
In such cases,
the covered health care provider must provide written notice
to the individual that PHI relating to the medical surveillance
of the workplace and work-related illnesses and injuries is
disclosed to the employer, by giving a copy of the notice
to the individual at the time the health care is provided,
or, if the health care is provided on the work site of the
employer, by posting the notice in a prominent place at the
location where the health care is provided.
If the covered
entity is also a public health authority, it is permitted
to use PHI in all the ways described above, for which it is
permitted to disclose PHI to other public health entities.